It is common practice within information technology applications to use passwords or other codes to identify users. By way of example, access to software applications, internet banking or online purchasing applications and telephone banking services may require user identification by means of passwords selected by the user.
Identity fraud is a major concern to industries such as retailers, credit card companies and banks and thus password security is of paramount importance. It is generally accepted that password security, in the sense of resistance to a so-called “brute force attack” in which a password is cracked by systematically trying all possible passwords, can be increased by the use of longer, more complex passwords.
For example, while a 4-bit (i.e. 4 character) password would require only 2^4 calculations in order to try all possible combinations, a 128-bit (i.e. 128 character) password requires 2^128 calculations in order merely to sequence through the possible values. It is calculated that the energy required to break a 128-bit symmetric password is more than 30 gigawatts of power for a full year. In addition, the time to check all 2^128 possibilities of a 128-bit key using a processor capable of checking 10^18 combinations per second would require approximately 10^13 years.
These energy and time restrictions render 128-bit passwords impractical to cracking by brute force attack methods using current technology and resources. However, the user's ability to accurately recall and input the password decreases as the length, complexity and randomness of the password increases. Thus, it is considered unlikely that a user would be able to recall and enter a 128-bit password for identification purposes without a written prompt. This problem is exacerbated if, as is commonly advised, different passwords are set by the user to access different applications.
A solution to the problem of verifying a user's identity has been proposed in WO2007/063346. This document discloses a method for verifying a person's identity in which a Personal Identification Pattern (PIP) is registered with the authenticator. When overlaid on a pseudo-random grid of numbers, the PIP defines a sequence of numbers representing the user's password.
In use, the user is presented with a number grid and selects the numbers corresponding to the PIP. Since the PIP is known by the authenticator, the returned sequence of numbers is compared with the expected sequence according to the grid presented and the user is verified if the two sequences are identical.
Since only the pattern is known by the authenticator, the grid can be changed to include different numbers each time it is presented to the user so that a different sequence of numbers is returned each time the user is challenged. Furthermore, since each number is repeated several times in the grid, it is considered difficult for a casual observer to determine the pattern from the number sequence input by the user.
The above solution assists the user to recall and accurately input their password. However, since the solution requires a unique number grid to be presented to the user each time the user is required to be identified, significant revision to the application software and/or hardware must be implemented by the authenticator. Furthermore, the security of the password depends on the complexity of the PIP—a simple four-point PIP may be easily recalled by the user, but provides only limited security, while a more complex eight- or twelve-point PIP increases security (although only slightly) but will be more difficult for the user to accurately recall and enter.
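The PIP challenge-response described above, together with the observer-resistance claim and its limits, modelled as an added Python example (not code from WO2007/063346 or from this application); the 6x6 digit grid, the function names and the four-point diagonal pattern are assumptions chosen for illustration:

```python
"""Added worked example: a minimal model of the Personal Identification
Pattern (PIP) scheme. Grid size, names and sample pattern are assumptions."""
import hmac
import random
import secrets

GRID_SIZE = 6  # assumption: 6x6 grid of digits, so each digit recurs ~3-4 times


def make_grid(rng=None, size=GRID_SIZE):
    """Build a fresh pseudo-random challenge grid (list of rows of digits 0-9).
    Pass a seeded random.Random for reproducible runs; default uses secrets."""
    draw = rng.randrange if rng is not None else secrets.randbelow
    return [[draw(10) for _ in range(size)] for _ in range(size)]


def expected_sequence(grid, pip):
    """The authenticator overlays the registered PIP (an ordered list of
    (row, col) cells) on the grid it issued to derive the expected digits."""
    return "".join(str(grid[r][c]) for r, c in pip)


def verify(grid, pip, response):
    """Compare the user's typed digits with the expected sequence for this
    grid. compare_digest avoids leaking the first mismatch position by timing."""
    return hmac.compare_digest(expected_sequence(grid, pip), str(response))


def candidate_patterns(grid, observed):
    """Upper bound on how many PIPs are consistent with one observed response
    on this grid: the product of how often each observed digit appears
    (repeated cells are counted, so a real PIP space is slightly smaller)."""
    counts = {}
    for row in grid:
        for digit in row:
            counts[digit] = counts.get(digit, 0) + 1
    total = 1
    for ch in str(observed):
        total *= counts.get(int(ch), 0)
    return total


if __name__ == "__main__":
    pip = [(0, 0), (1, 1), (2, 2), (3, 3)]  # constructed 4-point diagonal PIP
    challenge = make_grid(random.Random(1))
    answer = expected_sequence(challenge, pip)  # what the legitimate user types
    print("accepted:", verify(challenge, pip, answer))
    print("replay on new grid:", verify(make_grid(), pip, answer))
    print("patterns consistent with one observation:",
          candidate_patterns(challenge, answer))
```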
A need therefore exists for a method, software application or device which enables a user to reliably recall and input longer, more complex passwords when verifying their identity. It would also be advantageous if such a method, application or device were compatible with the conventional text-box character entry systems widely used for personal identity verification.
It is an aim of the present invention to address one or more of these issues and to improve upon current technology and methods. Embodiments of the invention may provide a method, a device, a software program or a computer which enables a user to quickly and reliably recall and enter complex passwords of up to 128 characters. Other aims and advantages of the invention will become apparent from the following description, claims and drawings.